(This message was also submitted to <fedora-legacy-list@xxxxxxxxxx> ... I recommend replying to both lists, if you would, please).

Hello Fedora Legacy and Extras folks,

This below RHEL advisory just came out, along with advisories like this for Thunderbird and for Firefox. We in Legacy need to get busy on these, because they are critical bugs, and we haven't updated any Firefox, Thunderbird, or SeaMonkey (er, Mozilla) packages in a LONG time.

There are some old Bugzillas that had been open for RHL 7.3, RHL 9, FC 1, FC 2, and FC 3 for Mozilla. There has been a running discussion (and no action -- largely my fault -- sorry!) about how and whether we upgrade Mozilla to SeaMonkey so that SeaMonkey becomes a Mozilla replacement (Core) package rather than an Extras package, on a Bugzilla ticket for SeaMonkey. The Bugzilla number is 209167: <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167>.

My understanding is that Michal Jaegermann (Fedora Legacy contributor) has done work on at least one or more previous versions of SeaMonkey, having created (FC4?) packages that should, once installed, act as a Mozilla replacement, not unlike what the RHEL packages mentioned in RHSA-2006-0734 do. The advantage of having SeaMonkey do this is that all other packages (such as yelp, epiphany, possibly others) will inherit the more secure code from SeaMonkey, since they tap into the shared-library (.so) files that SeaMonkey would be providing. My understanding then also would be that SeaMonkey is meant to be API compatible with Mozilla, so that other programs that depend on functions (or objects) in Mozilla's shared library should continue to work okay, possibly without recompilation, but probably requiring recompilation and pushing to updates.

Does anyone have any comments on how you wish the Legacy Project to approach this? I favor SeaMonkey as a Mozilla replacement, as it covers all vulnerabilities in packages that dynamically link to the shared libraries. But perhaps there are other ideas.

Since Legacy Mozilla/Firefox/Thunderbird security bugs have been open since June (and not worked on), I also advocate that we in Legacy build SeaMonkey packages for *all* releases of Fedora Core that we have ever supported (since older releases were supported at that time) and RHL 7.3 and RHL 9. Does anyone object to that? What say ye??

Regards,
David Eisenstein

-------- Original Message --------
Subject: [RHSA-2006:0734-01] Critical: seamonkey security update
Date: Wed, 8 Nov 2006 04:48:59 -0500
From: bugzilla@xxxxxxxxxx
To: enterprise-watch-list@xxxxxxxxxx

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Critical: seamonkey security update
Advisory ID: RHSA-2006:0734-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0734.html
Issue date: 2006-11-08
Updated on: 2006-11-08
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5747 CVE-2006-5748
---------------------------------------------------------------------

1. Summary:

Updated seamonkey packages that fix several security bugs are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

... (RHEL 2.1, RHEL 3, RHEL 4) ...

3. Problem description:

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the way SeaMonkey processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause SeaMonkey to crash or execute arbitrary code as the user running SeaMonkey. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748)

Several flaws were found in the way SeaMonkey renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-5464)

A flaw was found in the way SeaMonkey verifies RSA signatures. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. SeaMonkey as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which would be incorrectly trusted when their site was visited by a victim. This flaw was previously thought to be fixed in SeaMonkey 1.0.5; however, Ulrich Kuehn discovered the fix was incomplete. (CVE-2006-5462)

Users of SeaMonkey are advised to upgrade to these erratum packages, which contain SeaMonkey version 1.0.6 that corrects these issues.

<<snip>>
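The RSA exponent-3 flaw in the forwarded advisory (CVE-2006-5462) comes down to how a PKCS#1 v1.5 verifier checks the decoded signature block: a parser that walks past the padding and ignores whatever follows the digest can be satisfied by a block that is not the one the signer produced. The example below is added here and is not code from the advisory or from NSS; it places a constructed lax verifier of that kind beside the strict form (re-encode the expected block and compare it whole, RFC 8017 section 8.2.2), which closes the weakness regardless of the public exponent. It works on the encoded block EM directly, so no RSA key is involved; the SHA-1 DigestInfo prefix, the sample message and the block layouts are constructed for the demonstration.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-1 (RFC 8017 section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(msg: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (all 0xFF) || 0x00 || T, per RFC 8017 section 9.2."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_lax(em: bytes, msg: bytes) -> bool:
    """Constructed parse-based check: skips the padding, compares the digest it finds
    there, and never requires the digest to end at the end of the block."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    expected = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return em[i:i + len(expected)] == expected   # bytes after T are ignored


def verify_strict(em: bytes, msg: bytes) -> bool:
    """RFC 8017 section 8.2.2 step 4: rebuild EM and compare the whole block."""
    try:
        expected_em = emsa_pkcs1_v15_encode(msg, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected_em)


def demo() -> dict:
    msg = b"constructed sample message"            # constructed input
    em_len = 128                                   # block size of a 1024-bit modulus
    good = emsa_pkcs1_v15_encode(msg, em_len)
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    # Constructed block with short padding and unchecked bytes after T: the lax
    # check accepts it, the strict check does not.
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (em_len - 11 - len(t))
    return {"lax_good": verify_lax(good, msg), "strict_good": verify_strict(good, msg),
            "lax_bad": verify_lax(bad, msg), "strict_bad": verify_strict(bad, msg)}
```

Both verifiers accept the genuine block; only the strict one rejects the block whose padding is short and whose tail is unchecked, which is the property the 1.0.6 fix needed.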